domain logons

This option configures Samba to accept domain logons as a primary
domain controller. When a client successfully logs on to the domain,
Samba will return a special token to the client that allows the
client to access domain shares without consulting the PDC again for
authentication. Note that the Samba machine must employ user-level
security (security=user) and must be the PDC for this option to
function. In addition, Windows machines will expect a
[netlogon] share to exist on the Samba server.

domain master

In a Windows network, a local master browser handles browsing within
a subnet. A Windows domain can be made up of a number of subnets,
each of which has its own local master browser. The primary domain
controller serves the function of domain master browser, collecting
the browse lists from the local master browser of each subnet. Each
local master browser queries the domain master browser and adds the
information about other subnets to their own browse lists. When Samba
is configured as a primary domain controller, it automatically sets
domainmaster=yes, making itself the domain
master browser.

Because Windows NT PDCs always claim the role of domain master
browser, Samba should never be allowed to be domain master if there
is a Windows PDC in the domain.

add user script

There are two ways in which adduserscript can be used. When
the Samba server is set up as a primary domain controller, it can be
assigned to a command that will run on the Samba server to add a
Windows NT/2000/XP computer account to Samba’s
password database. When the user on the Windows system changes the
computer’s settings to join a domain, he is asked
for the username and password of a user who has administrative rights
on the domain controller. Samba authenticates this user and then runs
the adduserscript with root permissions.

When Samba is configured as a domain member server, the
adduserscript can be assigned to a command to add a user
to the system. This allows Windows clients to add users that can
access shares on the Samba system without requiring an administrator
to create the account manually on the Samba host.

delete user script

There are times when users are automatically deleted from the domain,
and the deleteuserscript can be assigned to a command that removes a
user from the Samba host as a Windows server would do. However, you
might not want this to happen, because the Unix user might need the
account for reasons other than use with Samba. Therefore, we
recommend that you be very careful about using this option.

domain admin group

In a domain of Windows systems, it is possible for a server to get a
list of the members of the Domain Admins group from a domain
controller. Samba 2.2 does not have the ability to handle this, and
the domainadmingroup parameter exists as a manual means of
informing Samba who is in the group. The list should contain root
(necessary for adding computer accounts) and any users on Windows
NT/2000/XP clients in the domain who are in the Domain Admins group.
These users must be recognized by the primary controller in order for
them to perform some administrative duties such as adding users to
the domain.

password server

In a Windows domain in which the domain controllers are a Windows
primary domain controller, along with any number of Windows backup
domain controllers, clients and domain member servers authenticate
users by querying either the PDC or any of the BDCs. When Samba is
configured as a domain member server, the passwordserver parameter allows some control over how
Samba finds a domain controller. Earlier versions of Samba could not
use the same method that Windows systems use, and it was necessary to
specify a list of systems to try. When you set
passwordserver=*, Samba 2.2 is able to find
the domain controller in the same manner that Windows does, which
helps to spread the requests over several backup domain controllers,
minimizing the possibility of them becoming overloaded with
authentication requests. We recommend that you use this method.

machine password timeout

The machinepasswordtimeout global option sets a retention period for
Windows NT domain machine passwords. The default is currently set to
the same time period that Windows NT 4.0 uses: 604,800 seconds (one
week). Samba will periodically attempt to change the
machine account password, which is a password
used specifically by another server to report changes to it. This
option specifies the number of seconds that Samba should wait before
attempting to change that password. The timeout period can be changed
to a single day by specifying the following:

[global]
machine password timeout = 86400

Tip

If you would like more information on how Windows NT uses domain
usernames and groups, we recommend Eric Pearce’s
Windows NT in a Nutshell, published by
O’Reilly.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training,
learning paths, books, interactive tutorials, and more.